Re: [webauthn] Return public key in attestedCredentialData on authenticatorGetAssertion (#1928) from Emil Lundberg via GitHub on 2023-07-26 (public-webauthn@w3.org from July 2023)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jul 2023 10:52:45 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1651544272-1690368763-sysbot+gh@w3.org>

In fact it would be very bad to include the public key along with the assertion signature, because that would create an opportunity for confusing an RP with a valid signature by a different key than the one originally associated with the credential ID. The RP really should retrieve the public key from its own storage, to ensure that the mapping between credential ID and public key remains correct.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1928#issuecomment-1651544272 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 26 July 2023 10:52:47 UTC